pwn 0.5.617 → 0.5.618
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +95 -85
- data/README.md.bak +200 -0
- data/documentation/AI-Integration.md +42 -26
- data/documentation/AWS.md +57 -0
- data/documentation/Agent-Tool-Registry.md +56 -0
- data/documentation/Banner.md +17 -0
- data/documentation/Blockchain.md +18 -0
- data/documentation/Bounty.md +21 -0
- data/documentation/BurpSuite.md +41 -16
- data/documentation/CLI-Drivers.md +58 -0
- data/documentation/Configuration.md +66 -0
- data/documentation/Contributing.md +33 -19
- data/documentation/Cron.md +47 -0
- data/documentation/Drivers.md +43 -16
- data/documentation/Extrospection.md +54 -0
- data/documentation/FFI.md +14 -0
- data/documentation/Fuzzing.md +36 -0
- data/documentation/Hardware.md +40 -0
- data/documentation/Metasploit.md +34 -0
- data/documentation/NmapIt.md +18 -12
- data/documentation/PWN.png +0 -0
- data/documentation/PWN_Contributors_and_Users.png +0 -0
- data/documentation/Persistence.md +38 -0
- data/documentation/Plugins.md +97 -47
- data/documentation/Reporting.md +25 -18
- data/documentation/SAST.md +39 -22
- data/documentation/SDR.md +40 -0
- data/documentation/Sessions.md +39 -0
- data/documentation/Skills-Memory-Learning.md +49 -29
- data/documentation/Swarm.md +71 -0
- data/documentation/Transparent-Browser.md +26 -22
- data/documentation/Troubleshooting.md +44 -25
- data/documentation/WWW.md +32 -0
- data/documentation/diagrams/agent-tool-registry.svg +284 -0
- data/documentation/diagrams/aws-cloud-security.svg +166 -0
- data/documentation/diagrams/cron-scheduling.svg +148 -0
- data/documentation/diagrams/dot/hardware-hacking.dot +48 -0
- data/documentation/diagrams/dot/persistence-filesystem.dot +29 -0
- data/documentation/diagrams/extrospection-world-awareness.svg +185 -0
- data/documentation/diagrams/hardware-hacking.svg +163 -0
- data/documentation/diagrams/persistence-filesystem.svg +174 -0
- data/documentation/diagrams/sdr-radio-flow.svg +146 -0
- data/documentation/diagrams/swarm-multi-agent.svg +225 -0
- data/documentation/fax-spectrogram.png +0 -0
- data/documentation/fax-waveform.png +0 -0
- data/documentation/pwn-REPL.md +40 -24
- data/documentation/pwn-ai-Agent.md +59 -30
- data/documentation/pwn_android_war_dialer_session.png +0 -0
- data/documentation/pwn_install.png +0 -0
- data/documentation/pwn_wallpaper.jpg +0 -0
- data/documentation/ringing-spectrogram.png +0 -0
- data/documentation/ringing-waveform.png +0 -0
- data/lib/pwn/version.rb +1 -1
- data/third_party/pwn_rdoc.jsonl +22 -5
- metadata +39 -1
data/documentation/NmapIt.md
CHANGED
|
@@ -1,18 +1,24 @@
|
|
|
1
|
-
# NmapIt
|
|
1
|
+
# `PWN::Plugins::NmapIt`
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Thin, composable wrapper over `nmap` with structured XML parsing.
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+

|
|
6
6
|
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
-
|
|
7
|
+
```ruby
|
|
8
|
+
r = PWN::Plugins::NmapIt.port_scan(
|
|
9
|
+
target: '10.0.0.0/24',
|
|
10
|
+
ports: '1-1024',
|
|
11
|
+
service_scan: true,
|
|
12
|
+
script: 'default,vuln',
|
|
13
|
+
output_xml: '/tmp/scan.xml'
|
|
14
|
+
)
|
|
15
|
+
r[:hosts].each { |h| puts "#{h[:ip]} → #{h[:ports].map { |p| p[:portid] }}" }
|
|
16
|
+
```
|
|
11
17
|
|
|
12
|
-
|
|
18
|
+
CLI: `pwn_nmap_discover_tcp_udp -t 10.0.0.0/24 -o out/`
|
|
13
19
|
|
|
14
|
-
|
|
20
|
+
Pairs with `extro_observe` to persist banners for later
|
|
21
|
+
[correlation](Extrospection.md), and with `PWN::Plugins::Sock` /
|
|
22
|
+
`PWN::Plugins::Metasploit` for follow-up.
|
|
15
23
|
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
[[Diagrams]]
|
|
24
|
+
[← Home](Home.md) · [Plugins](Plugins.md)
|
|
Binary file
|
|
Binary file
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
# `~/.pwn/` — Persistence Map
|
|
2
|
+
|
|
3
|
+
Every byte PWN remembers between processes lives here.
|
|
4
|
+
|
|
5
|
+

|
|
6
|
+
|
|
7
|
+
| Path | Owner | Format | Reset tool | Purpose |
|
|
8
|
+
|---|---|---|---|---|
|
|
9
|
+
| `config.yml` | `PWN::Config` | YAML | edit by hand | engines, keys, agent options |
|
|
10
|
+
| `memory.json` | `PWN::Memory` | JSON array | `memory_clear` | facts · prefs · lessons · env — injected into every prompt |
|
|
11
|
+
| `skills/*.md` | `PWN::Config.load_skills` | Markdown + YAML front-matter | `skill_delete` | reusable procedures + `references:` (CWE/CVE/ATT&CK/NIST) |
|
|
12
|
+
| `learning.jsonl` | `PWN::AI::Agent::Learning` | JSON-per-line | `learning_reset` | task outcome log → success_rate |
|
|
13
|
+
| `metrics.json` | `PWN::AI::Agent::Metrics` | JSON | `metrics_reset` | per-tool calls · success · avg_duration · last_error |
|
|
14
|
+
| `extrospection.json` | `PWN::AI::Agent::Extrospection` | JSON | `extro_reset` | host snapshot + previous baseline + observations[] |
|
|
15
|
+
| `sessions/*.jsonl` | `PWN::Sessions` | JSON-per-line | `sessions_delete` | full transcript per pwn-ai run |
|
|
16
|
+
| `cron/jobs.yml` | `PWN::Cron` | YAML | `cron_remove` | scheduled prompt/ruby/script jobs |
|
|
17
|
+
| `cron/log/*.log` | `PWN::Cron` | text | rm | last_run output |
|
|
18
|
+
| `agents.yml` | `PWN::AI::Agent::Swarm` | YAML | edit / `agent_spawn` | persona registry |
|
|
19
|
+
| `swarm/<id>/bus.jsonl` | `Swarm` | JSON-per-line | rm -rf | append-only multi-agent chat |
|
|
20
|
+
| `swarm/<id>/personas.json` | `Swarm` | JSON | rm | persona → session_id map |
|
|
21
|
+
| `~/.pwn_history` | Pry | text | rm | REPL input history |
|
|
22
|
+
|
|
23
|
+
## Back it up
|
|
24
|
+
|
|
25
|
+
```bash
|
|
26
|
+
tar czf pwn-state-$(date +%F).tgz -C "$HOME" .pwn
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
## Start fresh for a new engagement
|
|
30
|
+
|
|
31
|
+
```ruby
|
|
32
|
+
# inside pwn-ai — keeps config & skills, wipes engagement-specific state
|
|
33
|
+
extro_reset(confirm: true) # host snapshot + observations
|
|
34
|
+
learning_reset(confirm: true) # task outcomes (optional)
|
|
35
|
+
metrics_reset(confirm: true) # tool telemetry (optional)
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
[← Home](Home.md) · [Configuration](Configuration.md)
|
data/documentation/Plugins.md
CHANGED
|
@@ -1,59 +1,109 @@
|
|
|
1
|
-
# Plugins
|
|
1
|
+
# `PWN::Plugins` — All 66 Modules
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Every plugin is a plain Ruby module of `public_class_method def self.x(opts = {})`
|
|
4
|
+
methods with self-documenting `.help`. Source: `lib/pwn/plugins/*.rb`.
|
|
4
5
|
|
|
5
|
-
|
|
6
|
+

|
|
7
|
+
|
|
8
|
+
## Discover in the REPL
|
|
6
9
|
|
|
7
10
|
```ruby
|
|
8
11
|
PWN::Plugins.constants.sort
|
|
9
|
-
PWN::Plugins::BurpSuite.
|
|
12
|
+
PWN::Plugins::BurpSuite.help
|
|
13
|
+
ls PWN::Plugins::NmapIt
|
|
14
|
+
show-source PWN::Plugins::Fuzz.generate
|
|
10
15
|
```
|
|
11
16
|
|
|
12
|
-
##
|
|
13
|
-
|
|
14
|
-
### Web / Proxy / Scanning
|
|
15
|
-
- **burp_suite** (preferred) — Headless + live interaction with Burp Suite Professional
|
|
16
|
-
- **zaproxy** — OWASP ZAP support (fallback)
|
|
17
|
-
- **transparent_browser** — Headless/visible browser automation, spidering, JS execution
|
|
18
|
-
- **spider**
|
|
19
|
-
- **nmap_it** — Nmap wrapper + parsing
|
|
20
|
-
- **nessus_cloud**, **nexpose_vuln_scan**, **openvas**
|
|
21
|
-
|
|
22
|
-
### Exploitation & Post-Exploitation
|
|
23
|
-
- **metasploit**
|
|
24
|
-
- **assembly**
|
|
25
|
-
- **fuzz**
|
|
26
|
-
- **packet**
|
|
27
|
-
- **beef** (Browser Exploitation Framework)
|
|
28
|
-
- **tor**
|
|
29
|
-
|
|
30
|
-
### Recon / OSINT
|
|
31
|
-
- **shodan**
|
|
32
|
-
- **hunter**
|
|
33
|
-
- **ip_info**
|
|
34
|
-
- **github**
|
|
35
|
-
- **hacker_one**
|
|
36
|
-
|
|
37
|
-
### Data & Auth
|
|
38
|
-
- **authentication_helper**, **basic_auth**, **oauth2**
|
|
39
|
-
- **dao_ldap**, **dao_mongo**, **dao_postgres**, **dao_sqlite3**
|
|
40
|
-
- **vault**
|
|
41
|
-
|
|
42
|
-
### Mobile / Hardware / Misc
|
|
43
|
-
- **android**
|
|
44
|
-
- **serial**, **bus_pirate**, **msr206**
|
|
45
|
-
- **ocr**, **pdf_parse**, **voice**
|
|
46
|
-
- **blockchain**, **bounty** (HackerOne), **defect_dojo**
|
|
17
|
+
## By category
|
|
47
18
|
|
|
48
|
-
###
|
|
49
|
-
|
|
50
|
-
|
|
19
|
+
### Web / Proxy / Browser
|
|
20
|
+
| Module | Purpose | Doc |
|
|
21
|
+
|---|---|---|
|
|
22
|
+
| **`BurpSuite`** ⭐ | Headless + REST control of Burp Pro; active/passive scan | [BurpSuite](BurpSuite.md) |
|
|
23
|
+
| `Zaproxy` | OWASP ZAP (fallback) | — |
|
|
24
|
+
| **`TransparentBrowser`** | Watir/Chrome headless or visible; devtools; proxy-aware | [Transparent-Browser](Transparent-Browser.md) |
|
|
25
|
+
| `Spider` | Recursive crawler | — |
|
|
26
|
+
| `OpenAPI` | Swagger/OpenAPI parse + fuzz targets | — |
|
|
27
|
+
| `URIScheme` | URI helpers | — |
|
|
28
|
+
|
|
29
|
+
### Network
|
|
30
|
+
| Module | Purpose | Doc |
|
|
31
|
+
|---|---|---|
|
|
32
|
+
| **`NmapIt`** | Nmap wrapper + XML parse | [NmapIt](NmapIt.md) |
|
|
33
|
+
| `Sock` | Raw TCP/UDP client; banner grab | — |
|
|
34
|
+
| `Packet` | Craft/sniff L2/L3 (PacketFu) | — |
|
|
35
|
+
| `Tor` | Start/rotate Tor for egress | — |
|
|
36
|
+
| `IPInfo` | Geo/ASN lookup | — |
|
|
37
|
+
|
|
38
|
+
### Exploitation
|
|
39
|
+
| Module | Purpose | Doc |
|
|
40
|
+
|---|---|---|
|
|
41
|
+
| **`Metasploit`** | msfrpcd client; run modules; sessions | [Metasploit](Metasploit.md) |
|
|
42
|
+
| **`Fuzz`** | Mutation/generation fuzzer | [Fuzzing](Fuzzing.md) |
|
|
43
|
+
| `BeEF` | Browser Exploitation Framework hooks | — |
|
|
44
|
+
| `Assembly` | asm ↔ opcodes (multi-arch, keystone/capstone) | — |
|
|
45
|
+
|
|
46
|
+
### OSINT / Recon
|
|
47
|
+
| Module | Purpose |
|
|
48
|
+
|---|---|
|
|
49
|
+
| `Shodan` | host/search/GraphQL introspection |
|
|
50
|
+
| `Hunter` | email discovery |
|
|
51
|
+
| `Github` | code/secret search |
|
|
52
|
+
| `HackerOne` | program/report API |
|
|
53
|
+
|
|
54
|
+
### Data Access / Parsing
|
|
55
|
+
| Module | Purpose |
|
|
56
|
+
|---|---|
|
|
57
|
+
| `DAOLdap` · `DAOMongo` · `DAOPostgres` · `DAOSqlite3` | DB clients |
|
|
58
|
+
| `JSONPathify` | JSONPath query |
|
|
59
|
+
| `PDFParse` · `OCR` | document extraction |
|
|
60
|
+
| `ScannableCodes` | QR/barcode gen/read |
|
|
51
61
|
|
|
52
|
-
|
|
53
|
-
|
|
62
|
+
### Auth / Secrets
|
|
63
|
+
| Module | Purpose |
|
|
64
|
+
|---|---|
|
|
65
|
+
| `OAuth2` · `BasicAuth` · `AuthenticationHelper` | credential flows |
|
|
66
|
+
| `Vault` | HashiCorp Vault |
|
|
67
|
+
|
|
68
|
+
### Hardware / Physical
|
|
69
|
+
| Module | Purpose | Doc |
|
|
70
|
+
|---|---|---|
|
|
71
|
+
| `Serial` · `BusPirate` | UART/SPI/I²C | [Hardware](Hardware.md) |
|
|
72
|
+
| `MSR206` | magstripe reader/writer | [Hardware](Hardware.md) |
|
|
73
|
+
| `Android` | adb push/pull/shell/screencap | [Hardware](Hardware.md) |
|
|
74
|
+
| `BareSIP` · `Voice` | VoIP war-dialing / TTS | [Hardware](Hardware.md) |
|
|
75
|
+
|
|
76
|
+
### CI / DevOps / Vuln-Mgmt
|
|
77
|
+
| Module | Purpose |
|
|
78
|
+
|---|---|
|
|
79
|
+
| `Jenkins` | jobs/views/plugins/users |
|
|
80
|
+
| `Git` | repo helpers |
|
|
81
|
+
| `vSphere` | VMware inventory |
|
|
82
|
+
| `DefectDojo` | import/reimport findings |
|
|
83
|
+
| `BlackDuckBinaryAnalysis` | SBOM + CVE match |
|
|
84
|
+
| `NessusCloud` · `NexposeVulnScan` · `OpenVAS` | commercial/OSS scanners |
|
|
85
|
+
| `JiraDataCenter` | ticket findings |
|
|
86
|
+
|
|
87
|
+
### Comms
|
|
88
|
+
| Module | Purpose |
|
|
89
|
+
|---|---|
|
|
90
|
+
| `MailAgent` · `Pony` | SMTP send |
|
|
91
|
+
| `SlackClient` · `IRC` · `TwitterAPI` | chat/notify |
|
|
92
|
+
| `RabbitMQ` | AMQP |
|
|
93
|
+
|
|
94
|
+
### Utility
|
|
95
|
+
`FileFu` · `ThreadPool` · `Log` · `PwnLogger` · `Char` · `XXD` · `DetectOS` ·
|
|
96
|
+
`CreditCard` · `SSN` · `EIN` · `VIN` · `PS` · `MonkeyPatch` · `REPL`
|
|
54
97
|
|
|
55
|
-
|
|
98
|
+
## Full alphabetical list
|
|
56
99
|
|
|
57
|
-
|
|
100
|
+
`Android Assembly AuthenticationHelper BareSIP BasicAuth BeEF
|
|
101
|
+
BlackDuckBinaryAnalysis BurpSuite BusPirate Char CreditCard DAOLdap DAOMongo
|
|
102
|
+
DAOPostgres DAOSqlite3 DefectDojo DetectOS EIN FileFu Fuzz Git Github
|
|
103
|
+
HackerOne Hunter IPInfo IRC Jenkins JiraDataCenter JSONPathify Log MailAgent
|
|
104
|
+
Metasploit MonkeyPatch MSR206 NessusCloud NexposeVulnScan NmapIt OAuth2 OCR
|
|
105
|
+
OpenAPI OpenVAS Packet PDFParse Pony PS PwnLogger RabbitMQ REPL ScannableCodes
|
|
106
|
+
Serial Shodan SlackClient Sock Spider SSN ThreadPool Tor TransparentBrowser
|
|
107
|
+
TwitterAPI URIScheme Vault VIN Voice Vsphere XXD Zaproxy`
|
|
58
108
|
|
|
59
|
-
[[Diagrams]
|
|
109
|
+
[← Home](Home.md) · [Diagrams](Diagrams.md)
|
data/documentation/Reporting.md
CHANGED
|
@@ -1,28 +1,35 @@
|
|
|
1
|
-
#
|
|
1
|
+
# `PWN::Reports` — Findings Pipeline
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+

|
|
4
4
|
|
|
5
|
-
##
|
|
5
|
+
## Generators (`lib/pwn/reports/*.rb`)
|
|
6
6
|
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
7
|
+
| Module | Consumes | Emits |
|
|
8
|
+
|---|---|---|
|
|
9
|
+
| `Reports::SAST` | `PWN::SAST::Factory` output | HTML (with `HTMLHeader`/`HTMLFooter`) + JSON |
|
|
10
|
+
| `Reports::Fuzz` | `PWN::Plugins::Fuzz` crash log | HTML + JSON |
|
|
11
|
+
| `Reports::URIBuster` | `pwn_www_uri_buster` output | HTML |
|
|
12
|
+
| `Reports::Phone` | `PWN::Plugins::BareSIP` recon | HTML |
|
|
13
|
+
| `Reports::HTMLHeader` / `HTMLFooter` | — | shared chrome for all HTML reports |
|
|
11
14
|
|
|
12
|
-
##
|
|
15
|
+
## Delivery integrations
|
|
13
16
|
|
|
14
|
-
|
|
17
|
+
| Plugin | Purpose |
|
|
18
|
+
|---|---|
|
|
19
|
+
| `PWN::Plugins::DefectDojo` | `importscan` / `reimportscan` / `engagement_create` (also `bin/pwn_defectdojo_*`) |
|
|
20
|
+
| `PWN::Plugins::JiraDataCenter` | Create issues from findings |
|
|
21
|
+
| `PWN::Plugins::SlackClient` / `MailAgent` | Notify |
|
|
15
22
|
|
|
16
|
-
##
|
|
17
|
-
|
|
18
|
-
Typically invoked at the end of reconnaissance → scanning → exploitation → analysis workflows:
|
|
23
|
+
## Example
|
|
19
24
|
|
|
20
25
|
```ruby
|
|
21
|
-
PWN::
|
|
26
|
+
findings = PWN::SAST::Factory.start(dir_path: './src')
|
|
27
|
+
PWN::Reports::SAST.generate(
|
|
28
|
+
dir_path: './src', results_hash: findings, output_dir: './out'
|
|
29
|
+
)
|
|
30
|
+
PWN::Plugins::DefectDojo.importscan(
|
|
31
|
+
engagement_id: 42, file: './out/report.json', scan_type: 'PWN SAST'
|
|
32
|
+
)
|
|
22
33
|
```
|
|
23
34
|
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
Combined with `PWN::Plugins::HackerOne` / bounty modules for streamlined disclosure workflows.
|
|
27
|
-
|
|
28
|
-
[[Diagrams]]
|
|
35
|
+
[← Home](Home.md) · [SAST](SAST.md) · [Fuzzing](Fuzzing.md)
|
data/documentation/SAST.md
CHANGED
|
@@ -1,32 +1,49 @@
|
|
|
1
|
-
# SAST
|
|
1
|
+
# `PWN::SAST` — Static Application Security Testing
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
48 language-aware rule modules + a `TestCaseEngine` + a `Factory` loader.
|
|
4
|
+
Source: `lib/pwn/sast/*.rb`. CLI: `bin/pwn_sast`.
|
|
4
5
|
|
|
5
|
-
|
|
6
|
+

|
|
6
7
|
|
|
7
|
-
|
|
8
|
+
## Run it
|
|
8
9
|
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
-
|
|
12
|
-
|
|
13
|
-
- Eval / dangerous functions
|
|
14
|
-
- CSRF, redirect, inner HTML, postMessage issues
|
|
15
|
-
- Log4j, ReDoS, path traversal patterns
|
|
16
|
-
- Credential / secret patterns (keystore, passwords, AWS keys)
|
|
17
|
-
- Modern issues: prototype pollution, etc.
|
|
18
|
-
- Custom signature engine + factory
|
|
19
|
-
|
|
20
|
-
## Usage
|
|
10
|
+
```bash
|
|
11
|
+
# CLI driver
|
|
12
|
+
pwn_sast -d /path/to/src -o /tmp/sast_out
|
|
13
|
+
```
|
|
21
14
|
|
|
22
15
|
```ruby
|
|
23
|
-
|
|
24
|
-
PWN::SAST::
|
|
25
|
-
|
|
16
|
+
# REPL / pwn_eval
|
|
17
|
+
findings = PWN::SAST::Factory.start(dir_path: '/path/to/src')
|
|
18
|
+
PWN::Reports::SAST.generate(dir_path: '/path/to/src',
|
|
19
|
+
results_hash: findings,
|
|
20
|
+
output_dir: '/tmp/sast_out')
|
|
26
21
|
```
|
|
27
22
|
|
|
28
|
-
|
|
23
|
+
## Rule families (48 modules)
|
|
24
|
+
|
|
25
|
+
| Family | Modules |
|
|
26
|
+
|---|---|
|
|
27
|
+
| **Command execution** | `CmdExecutionJava` · `CmdExecutionPython` · `CmdExecutionRuby` · `CmdExecutionGoLang` · `CmdExecutionScala` · `Shell` · `Sudo` |
|
|
28
|
+
| **Web / DOM** | `CSRF` · `Redirect` · `ReDOS` · `InnerHTML` · `OuterHTML` · `LocationHash` · `WindowLocationHash` · `PostMessage` · `LocalStorage` · `BeefHook` |
|
|
29
|
+
| **Injection / eval** | `SQL` · `Eval` · `DeserialJava` · `Log4J` · `PHPInputMechanisms` · `PHPTypeJuggling` · `TypeScriptTypeJuggling` |
|
|
30
|
+
| **Crypto / secrets** | `MD5` · `SSL` · `Keystore` · `PaddingOracle` · `PrivateKey` · `Signature` · `Token` · `Password` · `Base64` · `HTTPAuthorizationHeader` |
|
|
31
|
+
| **Memory / native** | `BannedFunctionCallsC` · `UseAfterFree` |
|
|
32
|
+
| **Infra / meta** | `AWS` · `AMQPConnectAsGuest` · `ApacheFileSystemUtilAPI` · `PomVersion` · `Version` · `Port` · `Logger` · `ThrowErrors` · `TaskTag` · `Emoticon` |
|
|
33
|
+
| **Engine** | `Factory` (loader) · `TestCaseEngine` (probe generator) |
|
|
34
|
+
|
|
35
|
+
## Write a rule
|
|
36
|
+
|
|
37
|
+
Each rule implements `self.scan(opts = {})` taking `dir_path:` and returning an
|
|
38
|
+
array of `{file:, line:, match:, cwe:, severity:}` hashes. Copy any existing
|
|
39
|
+
rule in `lib/pwn/sast/`, add your regex/AST logic, and it's auto-loaded by
|
|
40
|
+
`Factory`.
|
|
41
|
+
|
|
42
|
+
## Downstream
|
|
43
|
+
|
|
44
|
+
`PWN::Reports::SAST` → HTML + JSON → `PWN::Plugins::DefectDojo.importscan` →
|
|
45
|
+
`PWN::Plugins::JiraDataCenter` tickets.
|
|
29
46
|
|
|
30
|
-
See
|
|
47
|
+
**See also:** [Reporting](Reporting.md) · [CLI Drivers](CLI-Drivers.md)
|
|
31
48
|
|
|
32
|
-
[
|
|
49
|
+
[← Home](Home.md)
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
# `PWN::SDR` — Software-Defined Radio & RF
|
|
2
|
+
|
|
3
|
+

|
|
4
|
+
|
|
5
|
+
## Modules (`lib/pwn/sdr/*.rb`)
|
|
6
|
+
|
|
7
|
+
| Module | Purpose |
|
|
8
|
+
|---|---|
|
|
9
|
+
| **`GQRX`** | Remote-control a running GQRX instance over TCP: tune, set demod, squelch, record, `get_spectrum_snapshot` (pure-Ruby FFT), scan ranges |
|
|
10
|
+
| `FlipperZero` | Serial control of Flipper (sub-GHz, NFC, IR, iButton) |
|
|
11
|
+
| `RFIDler` | 125 kHz RFID reader/emulator |
|
|
12
|
+
| `SonMicroRFID` | SM130 13.56 MHz reader |
|
|
13
|
+
| `FrequencyAllocation` | ITU/FCC band-plan lookup — "what lives at 433.92 MHz?" |
|
|
14
|
+
| `Decoder::*` | Demodulator/protocol helpers |
|
|
15
|
+
|
|
16
|
+
## CLI
|
|
17
|
+
|
|
18
|
+
```bash
|
|
19
|
+
pwn_gqrx_scanner --start 430e6 --stop 440e6 --step 12.5e3 --mode fast
|
|
20
|
+
pwn_gqrx_scanner --start 118e6 --stop 137e6 --mode iterative --squelch -60
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
See skill `pwn_gqrx_scanner_fast_vs_iterative_scanning` for the trade-off.
|
|
24
|
+
|
|
25
|
+
## REPL example
|
|
26
|
+
|
|
27
|
+
```ruby
|
|
28
|
+
g = PWN::SDR::GQRX.connect(host: '127.0.0.1', port: 7356)
|
|
29
|
+
PWN::SDR::GQRX.set_freq(gqrx_sock: g, freq: 433_920_000)
|
|
30
|
+
PWN::SDR::GQRX.set_demod(gqrx_sock: g, demod: 'AM')
|
|
31
|
+
snap = PWN::SDR::GQRX.get_spectrum_snapshot(gqrx_sock: g)
|
|
32
|
+
PWN::SDR::FrequencyAllocation.lookup(freq: 433_920_000)
|
|
33
|
+
# => { band: 'ISM 433', typical: ['garage doors', 'weather stations', …] }
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
Record signal intel with `extro_observe(source: 'gqrx', category: 'recon', …)`.
|
|
37
|
+
|
|
38
|
+
**See also:** [Hardware](Hardware.md) · [Extrospection](Extrospection.md)
|
|
39
|
+
|
|
40
|
+
[← Home](Home.md)
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
# Sessions — Transcript Persistence
|
|
2
|
+
|
|
3
|
+
Every `pwn-ai` conversation (top-level *and* per-persona in a Swarm) is
|
|
4
|
+
appended as JSON-per-line to `~/.pwn/sessions/<id>.jsonl`.
|
|
5
|
+
|
|
6
|
+

|
|
7
|
+
|
|
8
|
+
## Why keep transcripts?
|
|
9
|
+
|
|
10
|
+
- `learning_reflect(session_id:)` mines them for durable lessons → Memory.
|
|
11
|
+
- `learning_distill_skill(name:, session_id:)` turns a winning run into a
|
|
12
|
+
reusable Skill.
|
|
13
|
+
- `sessions_view` lets you (or a later agent) re-read exactly what happened.
|
|
14
|
+
- Swarm maps each persona to its own session so its private context survives
|
|
15
|
+
across `agent_ask` calls.
|
|
16
|
+
|
|
17
|
+
## Tools
|
|
18
|
+
|
|
19
|
+
| Tool | Purpose |
|
|
20
|
+
|---|---|
|
|
21
|
+
| `sessions_current` | The id *this* conversation is being written to |
|
|
22
|
+
| `sessions_list(limit:)` | Newest-first index (id · size · mtime · lines) |
|
|
23
|
+
| `sessions_view(session_id:, truncate:)` | Read entries |
|
|
24
|
+
| `sessions_delete(session_id:)` | Prune noisy/dev transcripts so `reflect` corpus stays clean |
|
|
25
|
+
| `sessions_stats` | totals across the whole directory |
|
|
26
|
+
|
|
27
|
+
## File format
|
|
28
|
+
|
|
29
|
+
```json
|
|
30
|
+
{"role":"system","ts":"2026-07-07T22:08:02Z","content":"…"}
|
|
31
|
+
{"role":"user","ts":"…","content":"…"}
|
|
32
|
+
{"role":"assistant","ts":"…","content":"…","tool_calls":[…]}
|
|
33
|
+
{"role":"tool","ts":"…","name":"shell","content":"…"}
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
**See also:** [Skills, Memory & Learning](Skills-Memory-Learning.md) ·
|
|
37
|
+
[Swarm](Swarm.md) · [Persistence](Persistence.md)
|
|
38
|
+
|
|
39
|
+
[← Home](Home.md)
|
|
@@ -1,44 +1,64 @@
|
|
|
1
|
-
# Skills
|
|
1
|
+
# Memory · Skills · Learning · Metrics — Introspection
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
The **inward-facing** half of the pwn-ai feedback loop: how the agent measures
|
|
4
|
+
its own performance and turns wins into permanent capability.
|
|
4
5
|
|
|
5
|
-
|
|
6
|
+

|
|
6
7
|
|
|
7
|
-
|
|
8
|
+
## The four stores
|
|
8
9
|
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
10
|
+
| Store | File | Write tool | Read tool | Injected as |
|
|
11
|
+
|---|---|---|---|---|
|
|
12
|
+
| **Memory** | `memory.json` | `memory_remember` | `memory_recall` | `MEMORY` block — durable facts / prefs / lessons / env |
|
|
13
|
+
| **Skills** | `skills/*.md` | `skill_create` · `learning_distill_skill` | `skill_list` · `skill_view` | `SKILLS` list — reusable procedures + `references:` (CWE/CVE/ATT&CK/NIST/URL) |
|
|
14
|
+
| **Learning** | `learning.jsonl` | `learning_note_outcome` · `learning_reflect` | `learning_outcomes` · `learning_stats` | `LEARNING` block — recent outcomes + success_rate |
|
|
15
|
+
| **Metrics** | `metrics.json` | *automatic* (every Dispatch) | `metrics_summary` | `TOOL EFFECTIVENESS` block — steer tool choice |
|
|
12
16
|
|
|
13
|
-
|
|
17
|
+
## The lifecycle of a lesson
|
|
14
18
|
|
|
15
|
-
|
|
19
|
+
```text
|
|
20
|
+
1. Dispatch runs a tool → Metrics.record(tool, ok?, ms)
|
|
21
|
+
2. Final answer produced → Learning.auto_reflect(session_id)
|
|
22
|
+
3. Reflect finds a durable insight → Memory.remember(lesson_xxxx, …)
|
|
23
|
+
4. A whole workflow succeeded → Learning.distill_skill(name, session_id, references:)
|
|
24
|
+
5. Next launch: PromptBuilder injects all four blocks → the model already knows.
|
|
25
|
+
```
|
|
16
26
|
|
|
17
|
-
|
|
27
|
+
## Skill file format
|
|
18
28
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
-
|
|
29
|
+
```markdown
|
|
30
|
+
---
|
|
31
|
+
references:
|
|
32
|
+
- CWE-89
|
|
33
|
+
- T1190
|
|
34
|
+
- https://portswigger.net/web-security/sql-injection
|
|
35
|
+
---
|
|
36
|
+
# sqli_union_enum
|
|
23
37
|
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
- `xai_grok_oauth_device_flow`
|
|
38
|
+
1. Confirm injection with `' AND 1=1 --`.
|
|
39
|
+
2. Find column count with `ORDER BY n`.
|
|
40
|
+
3. …
|
|
28
41
|
|
|
29
|
-
##
|
|
42
|
+
## References
|
|
43
|
+
- CWE-89
|
|
44
|
+
- T1190
|
|
45
|
+
```
|
|
30
46
|
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
47
|
+
`PWN::Config.parse_skill_references` reads both the YAML front-matter **and**
|
|
48
|
+
the `## References` section, deduplicates, and exposes them via
|
|
49
|
+
`skill_view(name)[:references]`.
|
|
34
50
|
|
|
35
|
-
##
|
|
51
|
+
## Housekeeping
|
|
36
52
|
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
53
|
+
| Tool | When |
|
|
54
|
+
|---|---|
|
|
55
|
+
| `learning_consolidate(max_entries: 200)` | MEMORY block getting long/noisy |
|
|
56
|
+
| `learning_reset(confirm: true)` | dev-experiment noise polluted success_rate |
|
|
57
|
+
| `metrics_reset(confirm: true)` | fixed a broken tool; stale 0 % is misleading |
|
|
58
|
+
| `skill_delete(name)` | auto-distilled skill turned out low-quality |
|
|
59
|
+
| `learning_auto_reflect_toggle(enabled: false)` | during noisy fuzz loops |
|
|
41
60
|
|
|
42
|
-
|
|
61
|
+
**See also:** [Extrospection](Extrospection.md) — the outward-facing half ·
|
|
62
|
+
[Sessions](Sessions.md) · [Persistence](Persistence.md)
|
|
43
63
|
|
|
44
|
-
[
|
|
64
|
+
[← Home](Home.md)
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
# Swarm — Native Multi-Agent Orchestration
|
|
2
|
+
|
|
3
|
+
`PWN::AI::Agent::Swarm` replaces the legacy `pwn-irc` (inspircd + weechat +
|
|
4
|
+
PRIVMSG) transport with **first-class sub-agents** built directly on
|
|
5
|
+
`PWN::AI::Agent::Loop`. Each persona is a *full* tool-calling agent — Memory,
|
|
6
|
+
Skills, Learning, Metrics and Extrospection all apply — so the
|
|
7
|
+
self-improvement loop covers the whole swarm.
|
|
8
|
+
|
|
9
|
+

|
|
10
|
+
|
|
11
|
+
## Files
|
|
12
|
+
|
|
13
|
+
| Path | Contains |
|
|
14
|
+
|---|---|
|
|
15
|
+
| `~/.pwn/agents.yml` | Persona registry (name → role/engine/toolsets/max_iters) |
|
|
16
|
+
| `~/.pwn/swarm/<id>/bus.jsonl` | Append-only chat every persona reads/writes |
|
|
17
|
+
| `~/.pwn/swarm/<id>/personas.json` | persona name → `PWN::Sessions` id |
|
|
18
|
+
|
|
19
|
+
No daemon. Cross-session / cross-process communication == another `pwn-ai` (or
|
|
20
|
+
a `PWN::Cron` job) calling `Swarm.ask` with the same `swarm_id`.
|
|
21
|
+
|
|
22
|
+
## Define personas
|
|
23
|
+
|
|
24
|
+
```ruby
|
|
25
|
+
agent_spawn(name: 'red_team',
|
|
26
|
+
role: 'Offensive operator. Propose the most aggressive next step.',
|
|
27
|
+
engine: 'grok',
|
|
28
|
+
toolsets: %w[terminal pwn memory skills extrospection])
|
|
29
|
+
|
|
30
|
+
agent_spawn(name: 'blue_team',
|
|
31
|
+
role: 'Defender. Critique red_team, flag detection risk & OPSEC.',
|
|
32
|
+
engine: 'anthropic',
|
|
33
|
+
toolsets: %w[pwn memory extrospection])
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
> Omit `swarm` from a persona's toolsets to stop it recursively spawning
|
|
37
|
+
> further sub-agents. Recursion is also hard-capped by
|
|
38
|
+
> `PWN::Env[:ai][:agent][:max_depth]` (default 3).
|
|
39
|
+
|
|
40
|
+
## Verbs
|
|
41
|
+
|
|
42
|
+
| Tool | Use for |
|
|
43
|
+
|---|---|
|
|
44
|
+
| `agent_list` | See who's defined |
|
|
45
|
+
| `agent_spawn` | Define / overwrite a persona |
|
|
46
|
+
| `agent_ask(name, request)` | One turn of one persona → reply comes back to *you* |
|
|
47
|
+
| `agent_debate(names, topic, rounds:)` | Round-robin critique — each sees the bus tail |
|
|
48
|
+
| `agent_broadcast(request)` | Fan-out; returns `{name => reply}` for voting |
|
|
49
|
+
| `swarm_bus(swarm_id)` | Tail a bus to inspect a prior/concurrent conversation |
|
|
50
|
+
| `swarm_list` | Find a `swarm_id` to resume |
|
|
51
|
+
|
|
52
|
+
## Example: adversarial exploit review
|
|
53
|
+
|
|
54
|
+
```ruby
|
|
55
|
+
tx = agent_debate(
|
|
56
|
+
names: %w[red_team blue_team exploit_dev],
|
|
57
|
+
topic: 'Target runs Jenkins 2.426.2 on :8080 — plan initial access.',
|
|
58
|
+
rounds: 3
|
|
59
|
+
)
|
|
60
|
+
# later, in a different pwn-ai process:
|
|
61
|
+
agent_ask(name: 'red_team', swarm_id: tx[:swarm_id],
|
|
62
|
+
request: 'blue_team raised WAF concerns — revise the payload.')
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
Because each persona can pin a **different engine**, the debate is real model
|
|
66
|
+
diversity, not one model role-playing.
|
|
67
|
+
|
|
68
|
+
**See also:** [pwn-ai Agent](pwn-ai-Agent.md) ·
|
|
69
|
+
[Agent Tool Registry](Agent-Tool-Registry.md) · [Sessions](Sessions.md)
|
|
70
|
+
|
|
71
|
+
[← Home](Home.md)
|